Agenda

• From the perspective of:

- Looking Internals 

- Security Evaluation 

- Exploitation 

• Introduction - Windows Phone 7.x 

• System Implementation 

• Reverse Engineering 

• Exploitation, Part I and II 

• Analysis & Conclusion 
Is it good?

INTRODUCTION: 
WINDOWS PHONE 7.X

Windows Phone 7.x 

• Operating System based on Windows Embedded CE 6.0 R3 (core) 
and Windows Embedded Compact 7 (some features) 

• Strong app sandbox to protect the system and the user 

- No native code allowed (in general) 

• Unlike iOS, executable memory is permitted 

- Capabilities and Chambers 
Windows Phone Apps 

• Packaged in XAP (actually ZIP) format 
Application Information in SL-XAP 

Silverlight part (.NET / Silverlight based code): 

- AppManifest.xaml 

- .NET (Silverlight) assemblies 

WP7-specific part: 

- WMAppManifest.xml (application information) 

- WMAppPRHeader.xml (DRM (PlayReady) metadata) 

- WPInteropManifest.xml and native_app.dll (exist only if the app uses native code) 
Capabilities 

• Resources which apps are authorized to use: 

- Devices (ID_CAP_{ISV_CAMERA | MICROPHONE | SENSORS}) 

- Identification (ID_CAP_IDENTITY_{DEVICE | USER}) 

- Web Browser (ID_CAP_WEBBROWSERCOMPONENT) ... 
Capabilities 



Citation from: 

http://www.windowsphone.com/en-US/apps/82a23635-5bd9-df11-a844-00237de2db9e 
Capabilities 

• Undocumented Capabilities 

- Only selected vendors can use these "privileges" 

- File Type Association 
(ID_CAP_FILEVIEWER) 

- Native Code and Interop Services 
(ID_CAP_INTEROPSERVICES) 
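As an added example (not part of the original deck and not FFRI's tooling), the script below does the first thing an auditor would do with a XAP: open it as a ZIP, read the Capability entries out of WMAppManifest.xml, and cross-check the two undocumented capabilities listed above against the native-code markers in the package (WPInteropManifest.xml and any extra .dll). The sample XAP is constructed in memory so the script runs offline; the manifest namespace is the one real WP7 manifests use, but the product ID, titles and file contents are placeholders.

```python
"""Inspect a Windows Phone 7 XAP (a ZIP archive) for declared capabilities
and native-code markers.  Added example for this deck; the sample XAP is
constructed below and is not a real application."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Capabilities the deck lists as undocumented / vendor-only.
UNDOCUMENTED_CAPS = {"ID_CAP_INTEROPSERVICES", "ID_CAP_FILEVIEWER"}
WP_MANIFEST = "WMAppManifest.xml"
INTEROP_MANIFEST = "WPInteropManifest.xml"     # present only for native-code apps


def read_capabilities(manifest_xml):
    """Capability names from WMAppManifest.xml.  The real manifest lives in
    the http://schemas.microsoft.com/windowsphone/2009/deployment namespace;
    matching on the local tag name keeps this independent of that."""
    root = ET.fromstring(manifest_xml)
    return [el.get("Name") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name")]


def inspect_xap(xap_bytes):
    """Summarise what a XAP declares versus what it actually ships."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as zf:
        names = zf.namelist()
        if WP_MANIFEST not in names:
            raise ValueError("not a WP7 XAP: no " + WP_MANIFEST)
        caps = read_capabilities(zf.read(WP_MANIFEST))
    interop_manifest = INTEROP_MANIFEST in names
    declares_interop = "ID_CAP_INTEROPSERVICES" in caps
    return {
        "capabilities": caps,
        "undocumented": sorted(set(caps) & UNDOCUMENTED_CAPS),
        "interop_manifest": interop_manifest,
        "dlls": sorted(n for n in names if n.lower().endswith(".dll")),
        # Heuristic: the interop manifest and ID_CAP_INTEROPSERVICES are
        # expected to appear together; a mismatch deserves a closer look.
        "consistent": interop_manifest == declares_interop,
    }


def build_sample_xap(capabilities, native):
    """Constructed sample XAP (placeholder product ID and stub files)."""
    caps_xml = "".join('<Capability Name="%s"/>' % c for c in capabilities)
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment" '
        'AppPlatformVersion="7.1">\n'
        '  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}" '
        'Title="Sample" Version="1.0.0.0">\n'
        '    <Capabilities>' + caps_xml + '</Capabilities>\n'
        '  </App>\n'
        '</Deployment>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(WP_MANIFEST, manifest)
        zf.writestr("AppManifest.xaml", "<Deployment/>")          # Silverlight part, stubbed
        zf.writestr("SampleApp.dll", b"MZ constructed managed stub")
        if native:
            zf.writestr(INTEROP_MANIFEST, "<Interop/>")
            zf.writestr("native_app.dll", b"MZ constructed native stub")
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_xap(build_sample_xap(
        ["ID_CAP_NETWORKING", "ID_CAP_MICROPHONE", "ID_CAP_INTEROPSERVICES"], native=True))
    for key, value in report.items():
        print("%-17s %s" % (key, value))
```

Run against a real XAP by replacing the constructed bytes with the file contents; the "undocumented" list is what to look at first, since the deck's Part II turns on who holds ID_CAP_INTEROPSERVICES.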
Chambers 

• Isolate app/driver policies by separate chambers 

- Trusted Computing Base (TCB): kernel and some drivers 

- Other chambers: dynamic privileges granted by capabilities 
Conclusion 

• These look modern, secure and well-designed. 
- We need to know how good they actually are. 
How does the Windows Phone 7 operating system work? 

SYSTEM IMPLEMENTATION 
Low Layer Implementation 

• OS Mechanisms 

- Process Memory 

- Protected Server Libraries 

- Security System (incl. Sandbox) 

How did we analyze the system? 

• An unlocked Windows Phone device 

- We mainly used the "HTC 7 Mozart" 

• Custom native COM DLL 

- http://forum.xda-developers.com/showthread.php?t=1299134 

- A native COM DLL for Windows Phone 7 can be 
built with the Windows Mobile 6 SDK 

• Reverse Engineering (later) 
Process Memory Layout 

(Figure: address space from low to high: User VM, Shared DLLs, RAM-backed Map Files, Kernel Memory (incl. PSL and UserKData)) 

• Similar to Windows Embedded CE 6.0 

- User VM (0x00100000-0x3fffffff) 

- Shared DLLs (0x40000000-0x5fffffff) 

• Contains common DLLs 

- RAM-backed Map Files (0x60000000-0x6fffffff) 

• Contains common files including some .NET assemblies 

- ...and specific system areas 
Process ASLR (1) 

(Figure: randomized regions in low memory, below the bottom of the Shared DLLs and Mapped Files areas) 

• Stack / Executable / Heap (LocalAlloc) / Virtual Memory (VirtualAlloc) 

- Randomized every launch 

- 64KiB granularity, chosen from a 64+MiB low memory range 

(estimated entropy: about 10 bits) 

- Issue: only base addresses are randomized 

(no random "gap" between two allocations, unlike Linux's mmap) 

• Some (uncommon) DLLs are loaded in low memory range 

- Also randomized every launch 
Process ASLR (2) 

(Figure: Shared DLLs and Mapped Files areas, each with a randomized bottom) 

• Shared DLLs / Memory Mapped Files 

- Randomized every boot 

- Mapped to RANDOM_BASE_ADDRESS + CONST_OFFSET? 

(optimized for performance; or just no "shared gaps") 

- 64KiB granularity, chosen from a 64MiB memory range 

(estimated entropy: about 10 bits) 
System Calls -> Protected Server Library (PSL) calls 

• Branch to a specific address (the trap address) to cause a trap 

- The exception handler identifies the PSL call 

(by the address which caused the exception) 

- The kernel dispatches to the proper PSL routine 

(kernel-mode procedure / user-mode handler) 

• The trap address is randomized (ASLR for system calls) 

- PSL_TRAP_SEED (part of the shared memory area called UserKData) 

• Randomized every boot 

• 4-byte granularity, chosen from a 1MiB memory range 

(maximum entropy should be around 18 bits, but the distribution seems non-uniform) 

- Note that the location of UserKData is NOT randomized 

• UserKData is located at 0xffffc800 
Making PSL: Handling in the system 
Making PSL: Disassembly 

.text:000DF934                 EXPORT xxx_UnmapViewOfFileInProcess
.text:000DF934 xxx_UnmapViewOfFileInProcess            ; DATA XREF: .text:off_1209C8
.text:000DF934                 CODE16
.text:000DF934                 PUSH.W  {R4-R7,R11,LR}
.text:000DF938                 ADDW    R11, SP, #0x10
.text:000DF93C                 MOVS    R4, R0
.text:000DF93E                 LDR     R5, =0xFFFFC854         ; &PSL_TRAP_SEED (UserKData + 0x54)
.text:000DF940                 MOVS    R6, R1
.text:000DF942                 TST.W   R4, #1                  ; skip the trap if bit 0 of the handle is set...
.text:000DF946                 BNE     loc_DF962
.text:000DF948                 CMP.W   R4, #0x10000            ; ...or if the handle is <= 0x10000
.text:000DF94C                 BLS     loc_DF962
.text:000DF94E                 LDR     R3, =0xF101FFF0         ; 0xF101FFF0: trap address of UnmapViewOfFileInProcess
.text:000DF950                 MOVS    R2, R4
.text:000DF952                 LDR     R4, [R5]                ; PSL_TRAP_SEED
.text:000DF954                 MOVS    R7, #1
.text:000DF956                 MOVS    R1, #0
.text:000DF958                 MOVS    R0, #0
.text:000DF95A                 EORS    R3, R4                  ; 0xF101FFF0 ^ PSL_TRAP_SEED
.text:000DF95C                 BLX     R3                      ; branch to the trap address: exception -> kernel
.text:000DF95E                 MOVS    R4, R0

0xF101FFF0 ^ PSL_TRAP_SEED == trap address 

Process ASLR: Evaluation 

• Almost all process memory areas are randomized 

- Except shared data regions like UserKData 

(there's no FS segment register in ARM!) 

• However: only base addresses are randomized 

- This behavior makes heap spray (or similar techniques) 
easier and more reliable 

- Required spray size: at most about 70MiB? 
Security System in WP7 

• Policy Engine 

• Security Loader 

• ...and more 

(Figure: Apps (TaskHost.exe) and related running components sit above the Kernel; the Policy Engine performs access control (sandbox); the Security Loader prevents untrusted files from being loaded) 
Policy Engine (1) - PolicyEngine.dll 

• Actual access control 

- Policy database 

- Policy XML file 

• Principle of "Least Privilege" 

• \Windows\BasePolicy.xml 

- Policy definition for the whole system 

- Generated by merging {guid}.policy.xml files 
Policy Engine (2) - XML format 

• <CeSecurityPolicyFile> 

- <Macro> (defines common macro) 

- <Account> (defines account and account group) 

• <MemberOfGroup> 

- <Rule> (policy definition) 

• <Authorize> / <Stop> (permit or reject operations) 

- <Match> 

• Achieves Program Isolation 
Security Loader - LVMOD 

• The following modules can run in the default configuration: 

- Modules inside the ROM 

(stored PE [XIP] files may have an invalid signature, but that's fine) 

- Modules Authenticode-signed by Microsoft 

(including Windows Phone Marketplace files) 

• Developer Unlock 

- Authorizes a limited number of apps (modules) 
without an Authenticode signature 

• Some checks are done by the Package Manager 

- lvmod.dll checks whether the "DeveloperUnlockState" 
registry value is 1 and (conditionally) allows unsigned modules if 
the device is developer-unlocked 
Don't fall into the ditch! 

REVERSE ENGINEERING 
Reverse Engineering Windows Phone 7 OS 

• It's not a black box. 

- Reverse engineering is possible even if 
you don't actually own the device 

• There are some obstacles, but they can be cleared 

- We created "WP7 Helper Tools" to make analysis easier. 

• It's not difficult. 

- ...if you understand the tools 
Retrieving Files 

• Types: 

- OS image for recovery 

- Web-based updater (which Zune downloads) 

• These files must be fixed up before loading them into IDA Pro 
Fixing Files (1) - OS image 

• A Windows CE ROM can contain PE files in 
XIP (eXecute-In-Place) format 

- Headers are converted from the original ones (E32/O32 headers) 

• struct e32_rom / o32_rom 

- Image contents are aligned, but the original file 
seems to be an unaligned PE file (1) 

• WP7 Helper Tools :: unpack-xip.py 

- Accepts dumps generated by ImgFsToDump/xidump 

(http://forum.xda-developers.com/showthread.php?t=572673) 


(1) Found while observing IMAGE_DEBUG_DIRECTORY. 
Fixing Files (2) - Web-based Updater 

• Zune retrieves updater CAB files from the Microsoft website 

- They contain PE files! 

• Unaligned (and slightly corrupted) PE files 

- Sections are not aligned (!= OptionalHeader.FileAlignment) 

- Some section sizes are corrupted 

• WP7 Helper Tools :: unpack-updater.py 

- Accepts an ordinary (but unaligned) PE file 

- Realigns the file so that IDA Pro analyzes it correctly 
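The realignment step, as an added example in Python (this is not FFRI's unpack-updater.py, only a minimal illustration of the same idea): parse the PE headers, copy every section's raw data to the next FileAlignment boundary, rewrite PointerToRawData, SizeOfRawData and SizeOfHeaders, and clamp any SizeOfRawData that runs past the end of the file, which covers the "corrupted section sizes" case above. The input is a constructed PE32 skeleton with two sections packed back to back (machine type 0x01C2, IMAGE_FILE_MACHINE_THUMB); it is not a real WP7 update file.

```python
"""Realign an unaligned PE so section raw data sits at FileAlignment
boundaries.  Added illustration for this deck (not FFRI's unpack-updater.py);
the input PE is a constructed skeleton, not a real WP7 updater file."""
import struct

SEC_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER (40 bytes)
SEC_SIZE = struct.calcsize(SEC_FMT)
OPT_FILE_ALIGNMENT = 36       # offsets inside IMAGE_OPTIONAL_HEADER32
OPT_SIZE_OF_HEADERS = 60


def align_up(n, a):
    return (n + a - 1) // a * a


def _headers(data):
    """Return (optional_header_off, nsec, file_alignment, section_table_off)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    file_align, = struct.unpack_from("<I", data, opt + OPT_FILE_ALIGNMENT)
    return opt, nsec, file_align, opt + opt_size


def section_layout(data):
    """[(name, PointerToRawData, SizeOfRawData), ...] in header order."""
    _, nsec, _, sec_table = _headers(data)
    rows = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, sec_table + i * SEC_SIZE)
        rows.append((f[0].rstrip(b"\0"), f[4], f[3]))
    return rows


def size_of_headers(data):
    opt = _headers(data)[0]
    return struct.unpack_from("<I", data, opt + OPT_SIZE_OF_HEADERS)[0]


def is_file_aligned(data):
    """True when every section offset and size is a FileAlignment multiple."""
    file_align = _headers(data)[2]
    return all(ptr % file_align == 0 and size % file_align == 0
               for _, ptr, size in section_layout(data))


def realign_pe(data):
    """Copy each section's raw bytes to the next aligned offset and fix the
    headers.  A SizeOfRawData that runs past EOF (corrupted size) is clamped
    to the bytes actually present before padding."""
    opt, nsec, file_align, sec_table = _headers(data)
    headers_end = sec_table + nsec * SEC_SIZE
    new_hdr_size = align_up(headers_end, file_align)
    out = bytearray(data[:headers_end]) + bytes(new_hdr_size - headers_end)
    cursor = new_hdr_size
    for i in range(nsec):
        off = sec_table + i * SEC_SIZE
        f = list(struct.unpack_from(SEC_FMT, data, off))
        raw_size, raw_ptr = f[3], f[4]
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        padded = align_up(len(raw), file_align)
        f[3], f[4] = padded, (cursor if padded else 0)
        struct.pack_into(SEC_FMT, out, off, *f)
        out += raw + bytes(padded - len(raw))
        cursor += padded
    struct.pack_into("<I", out, opt + OPT_SIZE_OF_HEADERS, new_hdr_size)
    return bytes(out)


def build_unaligned_sample():
    """Constructed PE32 skeleton: FileAlignment 0x200 claimed, but .text and
    .data are packed back to back right after the headers (the deck's
    'unaligned PE' case).  Machine 0x01C2 = IMAGE_FILE_MACHINE_THUMB."""
    e_lfanew, nsec, opt_size = 0x40, 2, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x01C2, nsec, 0, 0, 0, opt_size, 0x0102)
    headers_end = e_lfanew + 4 + len(file_hdr) + opt_size + nsec * SEC_SIZE  # 0x188
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)               # SizeOfImage
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, headers_end)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    text = (bytes(range(256)) * 2)[:0x123]
    data_sec = b"\xAA" * 0x40
    text_ptr = headers_end                                # 0x188, unaligned
    data_ptr = text_ptr + len(text)                       # 0x2AB, unaligned
    secs = struct.pack(SEC_FMT, b".text", len(text), 0x1000, len(text), text_ptr,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SEC_FMT, b".data", len(data_sec), 0x2000, len(data_sec), data_ptr,
                        0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs + text + data_sec
```

Loaders that honour FileAlignment read each section from PointerToRawData rounded down, which is why a back-to-back layout shows up in IDA as garbage or missing code; after realign_pe the section table and the file agree again. Virtual addresses are left untouched, so relocations and the debug directory still resolve.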
IDA Pro bug (1) - Auto Analysis Failure 

• Found an IDA Pro (6.1-6.2) analysis bug for WP7 modules: 
- What?! 

.text:0001C6C4 ; =============== S U B R O U T I N E =======================================
.text:0001C6C4
.text:0001C6C4                 EXPORT start
.text:0001C6C4 start                                   ; DATA XREF: .pdata:000264C0
.text:0001C6C4                 PUSH.W  {R4-R7,R11,LR}
.text:0001C6C4 ; End of function start                 <- This is not supposed to be here...
.text:0001C6C8                 ADDW    R11, SP, #0x10
.text:0001C6CC                 MOVS    R4, R3
.text:0001C6CE                 MOVS    R5, R2
.text:0001C6D0                 MOVS    R6, R1
.text:0001C6D2                 MOVS    R7, R0
.text:0001C6D4                 BL      sub_1C7FC
.text:0001C6D8                 MOVS    R3, R4
.text:0001C6DA                 MOVS    R2, R5
.text:0001C6DC                 MOVS    R1, R6
.text:0001C6DE                 MOVS    R0, R7
.text:0001C6E0                 BL      sub_1C674
.text:0001C6E4                 POP.W   {R4-R7,R11,PC}  <- This is the real end of the function.
IDA Pro bug (2) - Exception Table (PE/ARMI) 

• IDA Pro did not correctly handle the LSB of Begin Address 

- Conflicts with auto analysis and results in early function ends 

• WP7 Helper Tools has an option to avoid this issue (-p) 

- Reported this issue to Hex-Rays 

- Fixed in IDA Pro version 6.3 

(Figure: a .pdata entry consists of a Begin Address word and a Flags word. The LSB of Begin Address is 1 for a Thumb function (as in the program counter); this confuses IDA Pro. A bit in the Flags word carries the same information as the LSB of Begin Address.) 
IDA Pro bug (2) - Exception Table (PE/ARMI) 

Bugfixes 

BUGFIX: 'produce exe' command was inviting the user to overwrite the current idb file 
BUGFIX: .pdata section of PE files for ARMI architecture was not parsed correctly 

BUGFIX: added a workaround for integer overflow in 'operator new []' if compiled with GCC 

BUGFIX: AF2_STKARG option was ignored by the analysis engine 

BUGFIX: an attempt to create a huge segment that can not be created could corrupt the database in some cases 
BUGFIX: ARM: more correct frame setup in Thumb mode (local variables were lumped together with saved registers) 
BUGFIX: automatic database snapshots were not working if no snapshots existed before 

Citation from http://www.hex-rays.com/products/ida/6.3/index.shtml 
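An added example (not FFRI's or Hex-Rays' code) showing the decoding that the 6.3 fix gets right: each .pdata entry is two 32-bit words, IMAGE_CE_RUNTIME_FUNCTION_ENTRY in winnt.h; the low bit of FuncStart is the Thumb flag, as in the program counter, and has to be masked off before the word is used as an address. With mask_thumb_bit=False the parser reproduces the pre-6.3 behaviour: the function "begins" at an odd address inside its first instruction, which is what made auto analysis end the function immediately. The sample table is constructed; the 0x1C6C4 entry reuses the start address from the listing above, and the prolog/function lengths are made up.

```python
"""Decode a Windows CE ARM .pdata table, handling the Thumb bit in FuncStart
the way IDA 6.3 does.  Added example for this deck (not FFRI's or Hex-Rays'
code); the entry layout is IMAGE_CE_RUNTIME_FUNCTION_ENTRY from winnt.h and
the sample table is constructed, reusing the deck's 'start' address."""
import struct

ENTRY_FMT = "<II"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)


def decode_entry(func_start, packed, mask_thumb_bit=True):
    """IMAGE_CE_RUNTIME_FUNCTION_ENTRY:
        DWORD FuncStart;           low bit = 1 for a Thumb function (as in the PC)
        DWORD PrologLen : 8;       in instructions
        DWORD FuncLen : 22;        in instructions
        DWORD ThirtyTwoBit : 1;    1 = ARM (32-bit) encoding, 0 = Thumb
        DWORD ExceptionFlag : 1;
    With mask_thumb_bit=False the start is taken verbatim (pre-6.3 IDA): an odd
    'begin' one byte into the first instruction, so the function ends early."""
    thumb = bool(func_start & 1)
    return {
        "begin": func_start & ~1 if mask_thumb_bit else func_start,
        "thumb": thumb,
        "prolog_len": packed & 0xFF,
        "func_len": (packed >> 8) & 0x3FFFFF,
        "thirty_two_bit": bool((packed >> 30) & 1),
        "exception": bool(packed >> 31),
    }


def parse_pdata(blob, mask_thumb_bit=True):
    """Decode a whole .pdata section (8-byte entries, little-endian)."""
    if len(blob) % ENTRY_SIZE:
        raise ValueError("truncated .pdata")
    return [decode_entry(*struct.unpack_from(ENTRY_FMT, blob, off), mask_thumb_bit)
            for off in range(0, len(blob), ENTRY_SIZE)]


def find_bad_entries(entries):
    """Sanity check: once the mode bit is removed, a Thumb start must be
    2-byte aligned and an ARM start 4-byte aligned, and the FuncStart mode
    bit must agree with ThirtyTwoBit.  Unmasked entries fail this."""
    bad = []
    for e in entries:
        unit = 4 if e["thirty_two_bit"] else 2
        if e["begin"] % unit or e["thumb"] == e["thirty_two_bit"]:
            bad.append(e)
    return bad


def pack_entry(begin, thumb, prolog_len, func_len, exception=False):
    """Constructed helper to build sample entries (inverse of decode_entry)."""
    packed = ((prolog_len & 0xFF) | ((func_len & 0x3FFFFF) << 8)
              | ((0 if thumb else 1) << 30) | (int(exception) << 31))
    return struct.pack(ENTRY_FMT, begin | int(thumb), packed)


# Constructed table: the deck's Thumb 'start' (0x1C6C4) plus one ARM function.
SAMPLE_PDATA = (pack_entry(0x0001C6C4, thumb=True, prolog_len=2, func_len=17)
                + pack_entry(0x00012340, thumb=False, prolog_len=1, func_len=8))

if __name__ == "__main__":
    for label, mask in (("fixed (6.3)", True), ("naive (6.1-6.2)", False)):
        for e in parse_pdata(SAMPLE_PDATA, mask):
            print("%-16s begin=%#x thumb=%s prolog=%d len=%d" % (
                label, e["begin"], e["thumb"], e["prolog_len"], e["func_len"]))
```

The same masking applies anywhere a Thumb address is stored PC-style (export tables, relocations, function pointers in .data): strip bit 0 for the address, keep it as the mode.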
IDA Pro bug - Effects by Fixing 

Before: 

                EXPORT start
start
                PUSH.W  {R4-R7,R11,LR}
; End of function start
                ...
                POP.W   {R4-R7,R11,PC}
; End of function start

After: 

; Attributes: noreturn bp-based frame
                EXPORT start
start
                PUSH.W  {R4-R7,R11,LR}
                ADDW    R11, SP, #0x10
                MOVS    R4, R3
                MOVS    R5, R2
                MOVS    R6, R1
                MOVS    R7, R0
                BL      sub_119B4
                MOVS    R3, R4
                MOVS    R2, R5
                MOVS    R1, R6
                MOVS    R0, R7
                BL      sub_117D8
; End of function start

It's a "noreturn" function, so ending there is fine. 
IDA Pro tip - Symbols (1) 
• Most debug symbols can be retrieved! 

- WP7 Helper Tools fixes the debug directory (-d option) 

- http://msdl.microsoft.com/download/symbols 

• Load the PDB file after you load and analyze the program 

- Loading the PDB file first results in auto-analysis failure 

(Screenshots: the "Load PDB when you open the file" prompt, and loading the PDB later via "File" -> "Load file" -> "PDB file") 
IDA Pro tip - Symbols (2) 
• Loading PDB files may corrupt the analysis 

• To solve this: 

1. Analyze the program 

2. Acquire the list of "Thumb" functions using IDAPython 

3. Disable auto analysis 

4. Load the PDB file 

5. Mark the "Thumb" functions as "Thumb" functions again 

(fixes the side effects of loading the PDB file, using IDAPython) 

6. Enable auto analysis and reanalyze the program 
Demo (WP7 Helper Tools + IDA Pro) 
Appendix: Reverse Engineering for WP7 packages 

• Downloading Applications 

- Marketplace Browser and Downloader for Windows Phone 7 

(http://mktwp7.codeplex.com/) 

- We can also use an "unlocked" device to 
retrieve installed application images 

(apps are installed under "\Applications\Install\{product-id}") 

• Reverse Engineering 

- IDA Pro (.NET or native) 

- .NET Reflector 

(http://www.reflector.net/) 
Native code seems vulnerable... but really? 

EXPLOITATION, PART I 
How about Exploitability? 

• Memory Protection (kernel / native components) 

- DEP: good 

- ASLR: not bad 

(except no random "gap") 

- Executable Memory: not as good as iOS 

(executable memory may be unsigned) 

• Memory Protection (.NET) 

- DEP: ? 

- Executable Memory: ? 

• Native Code / Native Modules 

- How are these used? 
Usage of Memory in .NET 

• Strings: 

- Dynamic strings are allocated in the VM (access == RWX) 

- Low randomization on heap/VM 

- Strings may be used frequently in the program 

• Possibility of "String" Spray 

- Spraying executable code as UTF-16LE strings 

(each string must be unique) 

- Low memory footprint because of the low randomization 

(estimated: 70MiB at most) 

• Conclusion: attacking native components 
using .NET might be possible 
Native Code in Apps 

• Very few apps have native code 

• Most "native" apps are OEM or carrier apps, 
but non-OEM apps include: 

- Adobe Reader 

- Tango Video Calls 

• Can native code be vulnerable? 
Finding Vulnerabilities (in general) 

• Static Analysis 

- Using IDA Pro 

• Dynamic Analysis 

- Trace and instrumentation with JTAG or similar... 

- Fuzzing 

• I had planned to do this, before I found... 
What?! 

(IDA Pro "Strings" window, as shown on the slide) 

Address           Length    String
.text:100B2EE0    00000028  %3d %3d %3d %3d %3d %3d %3d %3d
.text:100B2DAC    00000028  %4u %4u %4u %4u %4u %4u %4u %4u
.text:100B2C84    0000001F  Component %d: %dhx%dv q=%d
.text:100B2C34    0000001E  Component %d: dc=%d ac=%d
.text:100B2E18    00000021  with %d x %d thumbnail image
.text:100B2C14    0000001D  Ss=%d, Se=%d, Ah=%d, Al=%d
.data:10226994    0000000F  #cdata-section
.data:102269B0    00000009  #comment
.data:102269C8    0000000A  #document

Signature of vulnerable zlib... 
What program did such... 
What?! 
(not publicly disclosed) 
Vulnerability in (not publicly disclosed) 

• CVE-2005-2096 

- Buffer overflow vulnerability in zlib before 1.2.3 

- (not disclosed yet) uses zlib 1.2.1 

• Heap Overflow 

- Destroys the inflate_state struct allocated by zalloc 

• The overwritten address range can be controlled, 
but the overwrite pattern cannot (always an "invalid" signature) 

- (redacted)'s zalloc function just calls COREDLL's malloc 

- COREDLL's malloc uses LocalAlloc to allocate memory 
Privilege escalation with third-party components 

EXPLOITATION, PART II 
Policy Flaw? - ID_CAP_INTEROPSERVICES 

• The undocumented capability ID_CAP_INTEROPSERVICES 
allows "third-party service" access 

- Some third-party (and non-OEM) apps declare this capability! 

• e.g. Tango Video Calls 

- Why does such an application have to do so? 

• ID_CAP_INTEROPSERVICES allows OEM driver access 

- I have a bad feeling about OEM drivers... 

• Many "rooting" vulnerabilities in OEM drivers 
have been found in various Android devices... 

- Some OEM drivers allow "backdoor" access 
Policy Flaw? - Breaking Chambers 

(Figure: via ID_CAP_INTEROPSERVICES, an app reaches Interop Services and vulnerable OEM drivers; from there it can break out of its Isolated Storage into other apps' storage and the Trusted Computing Base (TCB)) 
Looking at Demo Device - HTCRegUtility.dll 

• Allows registry access 

- Ability to change system settings without permission 

• Latest version: fixed 

- By restricting registry access 
Looking at Demo Device - HTCFileUtility.dll 
• Allows file system access bypassing the sandbox/chamber 

- Ability to steal user/system information 

• Latest version: directory traversal vulnerability 

- HTCFileUtility.dll checks whether the supplied path has one of a few 
specific (hardcoded) prefixes, but there's no other verification 
Looking at Demo Device - HTCUtility.dll 

• Allows raw RAM reads/writes using DeviceIoControl 

- Ability to gain kernel-mode privileges 

- Detailed in the great work by Alex Plaskett 

• Latest version: fixed 

- By removing the related features 
Demo (What will happen then?) 
• Windows Phone is designed securely 

- But some OEM drivers seem to be unconcerned about security 

• This might be a big difference from Android 

- Bad designs, vulnerabilities 

• Privilege (capability) separation is important 

- Microsoft should have separated 
OEM capabilities properly... 
Anyway, is Windows Phone 7 secure? 

ANALYSIS & CONCLUSION 
Analysis - Summary 

• Sandbox / Application System 

- Designed securely, conforming to the "Principle of Least Privilege" 

• Exploitation (Native Code) 

- Designed well, but some concerns remain 
(regarding insufficient ASLR and .NET memory usage) 

• Exploitation (OEM components) 

- If an app with the ID_CAP_INTEROPSERVICES capability is 
vulnerable, it may result in a sandbox bypass. 
Conclusions 

• The Windows Phone 7.x OS sandbox is very strong 

- Conforming to the "Principle of Least Privilege" 

• Interop Services and Native Code could be a design failure 

- OEM code and vulnerable native apps 
might threaten users (depends on the device) 

- It {has to | will} be fixed in Windows Phone 8 
Windows Phone 8 
• Shared Windows Core 

- The NT kernel is coming. 

- Expecting strong memory protection 

• Native code access and a new framework 

- Minimize the ID_CAP_INTEROPSERVICES attack surface 

- May minimize the number of applications which require such privilege 
Thank you! 

Updated and detailed slides will be available at our website! 